Eric Rescorla has entered the following ballot position for draft-ietf-pce-rfc6006bis-03: Discuss
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-pce-rfc6006bis/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

The Security Considerations is worrisome, as it points to RFC 5440; Section 10.2, which basically recommends TCP-MD5:

   At the time of writing, TCP-MD5 [RFC2385] is the only available
   security mechanism for securing the TCP connections that underly
   PCEP sessions. As explained in [RFC2385], the use of MD5 faces some
   limitations and does not provide as high a level of security as was
   once believed. A PCEP implementation supporting TCP-MD5 SHOULD be
   designed so that stronger security keying techniques or algorithms
   that may be specified for TCP can be easily integrated in future
   releases.

   The TCP Authentication Option [TCP-AUTH] (TCP-AO) specifies new
   security procedures for TCP, but is not yet complete. Since it is
   believed that [TCP-AUTH] will offer significantly improved security
   for applications using TCP, implementers should expect to update
   their implementation as soon as the TCP Authentication Option is
   published as an RFC.

   Implementations MUST support TCP-MD5 and should make the security
   function available as a configuration option.

TCP-AO has now been published as an RFC for quite some time, so it's probably not really appropriate to just point to a document which recommends TCP-MD5.

_______________________________________________
Pce mailing list
Pce@ietf.org
https://www.ietf.org/mailman/listinfo/pce